Internet/Network Experts please

I run the ZoneAlarm firewall on my DSL connection, and it will occasionally report what it says are “attempts at security breaches” with my computers. Over the last few days, one series of IPs have been trying many times to start a NetBios session on my PC. They are a list of about 20 or so on the 216.35.123.X domain.

My background - I have a decent understanding of TCP/IP and the coordination layers and how it works and its tools, but know little to nothing about NetBios, NetBEUI (sp), etc.

Three main questions:

  1. What does it mean when another computer tries to start a NetBios session on mine? Does that mean it’s trying to use Windows shares?

  2. Several sites recommend removing “NetBios over TCP/IP” in Windows 95, and give instructions on how to do that. Should I remove NetBios bindings to TCP/IP, or can this cause some net applications to stop working?

  3. I ran a traceroute on one IP that was trying several times to start a NetBios session with me. So what was it trying to do? Below is the log. Any better way I can find out at least what ISP this computer is on?


```text
Tracing route to 216.35.123.96 over a maximum of 30 hops

1 24 ms 32 ms 32 ms adsl-MYIPREMOVEDFORSECURITY.dsl.kscymo.swbell.net [MYIPREMOVEDFORSECURITY]
2 23 ms 24 ms 22 ms core1-fa1-1-0.kscymo.swbell.net [151.164.8.65]
3 21 ms 23 ms 23 ms edge1-fa0-1-0.kscymo.swbell.net [151.164.8.241]
4 21 ms 22 ms 23 ms mci1-core1-s1-0-0.atlas.digex.net [206.181.218.13]
5 31 ms 33 ms 30 ms okc1-core1-s0-0-0.atlas.digex.net [165.117.52.50]
6 38 ms 35 ms 37 ms dfw3-core1-s3-2.atlas.digex.net [165.117.56.5]
7 56 ms 56 ms 57 ms ord2-core4-pos5-0.atlas.digex.net [165.117.48.70]
8 58 ms 55 ms 56 ms ord2-core1-pos7-0.atlas.digex.net [165.117.48.89]
9 57 ms 57 ms 56 ms ord2-core2-pos7-0.atlas.digex.net [165.117.48.86]
10 55 ms 59 ms 58 ms ibr02-s2-7.okbr01.exodus.net [216.32.132.141]
11 98 ms 94 ms 96 ms bbr02-g2-0.okbr01.exodus.net [216.34.183.98]
12 97 ms 92 ms 93 ms bbr02-p0-0.sntc04.exodus.net [216.32.132.150]
13 93 ms 95 ms 91 ms dcr01-g6-0.sntc04.exodus.net [216.34.2.1]
14 96 ms 97 ms 94 ms rsm06-vlan921.sntc04.exodus.net [216.34.2.92]
15 95 ms 94 ms 91 ms 216.35.123.45
16 94 ms 92 ms 90 ms 216.35.123.96

Trace complete.
```


Thanks all!

Was this on port 139 by any chance? That’s the port used for Windows sharing. It’s also the port that the infamous WinNuke used to crash a machine remotely. That particular exploit has had a patch for a while, but port 139 is still commonly probed.

Honestly, there’s not a whole lot that can be done to the typical Windows machine. It can be crashed by quite a few exploits, which is annoying, but does not give the attacker any actual access. Programs such as Back Orifice must have the trojan server running on the victim computer, so simply following common-sense download practices provides protection.

If you’re running WinGate however (a proxy server for internet sharing), it used to be misconfigured by default which would allow an attacker to use your machine to reroute their traffic, thus masking their path as they go on to attack other machines.

Basically, the only thing that I can think can be done that might compromise the machine would be writing to a shared folder, and/or reading sensitive shared data. But in either case the folder has to be shared in the first place.

No, they were all on port 137. Close enough? :)

Yep, that is part of Windows sharing features:

Bookmark http://www.robertgraham.com/pubs/firewall-seen.html for info on what port numbers mean.

Regardless of what Robert Graham says, no one should be trying to use shares on my machine, and I usually email the abuse people at their ISP. Put the numerical address into a reverse look-up like ARIN and you’ll see who the ISP is. samspade.com also offers this service and a lot more.

I doubt you have any net application trying to use Windows sharing; they always use TCP/IP directly, not Microsoft’s sharing scheme. If you use file or print sharing on your LAN you shouldn’t remove it. I unbound my Microsoft services from my TCP/IP protocol a long time ago and everything is still groovy. I think shieldsup.com has decent directions on how to do it.
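To show what a probe on port 137 actually carries, here is an added example (not from this thread, ZoneAlarm, or Robert Graham’s page) that builds and parses the NetBIOS name-service “node status” request defined in RFC 1002, the request a remote host sends to ask for your machine’s NetBIOS name table. The packet bytes are constructed in the code.

```python
import struct

# Question types from RFC 1002: NB = name query, NBSTAT = node status (name table) request
QTYPE_NB, QTYPE_NBSTAT, QCLASS_IN = 0x0020, 0x0021, 0x0001

def encode_nb_name(name: str, suffix: int = 0x00) -> str:
    """First-level encoding (RFC 1001 14.1): the 15-byte name plus a 1-byte suffix
    is written as 32 letters, each byte split into two nibbles offset from 'A'."""
    pad = b"\x00" if name == "*" else b" "          # the wildcard name is NUL-padded
    raw = name.encode("ascii").ljust(15, pad) + bytes([suffix & 0xFF])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def decode_nb_name(encoded: str) -> tuple:
    """Reverse of encode_nb_name: returns (name, suffix byte)."""
    if len(encoded) != 32 or not all("A" <= c <= "P" for c in encoded):
        raise ValueError("malformed first-level encoded name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15]

def build_node_status_request(tid: int) -> bytes:
    """The UDP/137 datagram a 'who are you' probe sends: one NBSTAT question for '*'."""
    header = struct.pack("!6H", tid, 0x0000, 1, 0, 0, 0)   # plain query, QDCOUNT = 1
    question = bytes([32]) + encode_nb_name("*").encode("ascii") + b"\x00"
    return header + question + struct.pack("!HH", QTYPE_NBSTAT, QCLASS_IN)

def parse_nbns_query(pkt: bytes) -> dict:
    """Parse a single-question NBNS request and describe what it is asking for."""
    if len(pkt) < 50:
        raise ValueError("too short for an NBNS question")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0xF                       # R(1) OPCODE(4) NM_FLAGS(7) RCODE(4)
    if opcode != 0 or qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nb_name(pkt[13:45].decode("ascii"))
    qtype, _qclass = struct.unpack("!HH", pkt[46:50])
    if qtype == QTYPE_NBSTAT:
        what = "node status request: asks the host for its whole NetBIOS name table"
    elif qtype == QTYPE_NB:
        what = f"name query for {name!r}"
    else:
        what = f"unknown question type 0x{qtype:04x}"
    return {"tid": tid, "name": name, "suffix": suffix, "qtype": qtype, "what": what}
```

The encoded wildcard name comes out as the string “CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”, which is what such a probe looks like in a packet capture.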

The perfect reply HorseloverFat, thank you. The ARIN site is one I’ve needed for a looooong time - I know how to use internic, and of course nslookup, but I was stupid and couldn’t find the reverse lookup.

What I’m getting is sorta strange - I’m not getting one IP accessing a bunch of ports, I’m getting 18 different IPs from “exodus.net” (thanks to the lookup) that are all probing port 137. To the best of my knowledge, I have never connected to their domain before.

If you e-mail their abuse center, do you ever get any response?

Maybe I’ll hook up my laptop (with NT) and run Tcpscan on them and see how they like it. No, they’d probably get too upset.

Tcpscan sure is fun to run at work - I found out that 2 other employees are running pornservers internally! Now, I’ve got some serious dirt on a couple people…

Since I do print sharing internally, I guess I shouldn’t unbind. I also have ordered a NAT box (the Linksys Etherfast DSL router) that has a built-in firewall. Of course, since I chat and game sometimes, I’ll need to put my primary PC in the DMZ anyways…
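An added example, not from this thread or from ZoneAlarm, of the triage described above: it reads constructed log lines in an assumed ZoneAlarm-style CSV shape (not copied from a real log) and separates the two patterns mentioned, many hosts in one /24 probing a single port versus one host walking through many ports.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed log lines in an assumed ZoneAlarm-like CSV shape (not a real ZALog):
# action, date, time, source ip:port, destination ip:port, protocol
LOG = """\
FWIN,2000/06/20,22:14:32,216.35.123.96:137,192.0.2.10:137,UDP
FWIN,2000/06/20,22:14:35,216.35.123.45:137,192.0.2.10:137,UDP
FWIN,2000/06/20,22:15:01,216.35.123.101:137,192.0.2.10:137,UDP
FWIN,2000/06/20,22:15:08,216.35.123.12:137,192.0.2.10:137,UDP
FWIN,2000/06/20,22:16:40,198.51.100.7:3291,192.0.2.10:139,TCP
FWIN,2000/06/20,22:16:41,198.51.100.7:3292,192.0.2.10:21,TCP
FWIN,2000/06/20,22:16:42,198.51.100.7:3293,192.0.2.10:23,TCP
FWIN,2000/06/20,22:16:43,198.51.100.7:3294,192.0.2.10:80,TCP
FWIN,2000/06/20,22:20:05,203.0.113.9:1025,192.0.2.10:137,UDP
"""

NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
                 139: "NetBIOS session (shares)"}

def parse_line(line: str) -> dict:
    _action, _date, _time, src, dst, proto = line.strip().split(",")
    sip, _sport = src.rsplit(":", 1)
    _dip, dport = dst.rsplit(":", 1)
    return {"src": sip, "dport": int(dport), "proto": proto}

def summarize(log_text: str, sweep_min_sources: int = 3, scan_min_ports: int = 4) -> list:
    """Group blocked inbound events two ways and report which pattern each one matches."""
    by_block = defaultdict(lambda: defaultdict(set))  # /24 -> (proto, dport) -> {src ips}
    by_src = defaultdict(set)                          # src ip -> {dports}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        block = str(ip_network(f"{e['src']}/24", strict=False))
        by_block[block][(e["proto"], e["dport"])].add(e["src"])
        by_src[e["src"]].add(e["dport"])
    findings = []
    # Many different hosts in one netblock hitting one port: a sweep, not a targeted scan.
    for block, ports in by_block.items():
        for (proto, port), srcs in ports.items():
            if len(srcs) >= sweep_min_sources:
                findings.append({"kind": "sweep", "who": block, "port": f"{proto}/{port}",
                                 "count": len(srcs), "note": NETBIOS_PORTS.get(port, "")})
    # One host walking across many ports: a port scan of this machine.
    for src, ports in by_src.items():
        if len(ports) >= scan_min_ports:
            findings.append({"kind": "portscan", "who": src, "port": sorted(ports),
                             "count": len(ports), "note": ""})
    return findings
```

The “who” field of a sweep finding is the /24 to put into the ARIN reverse lookup mentioned above; the single stray hit from 203.0.113.9 stays below both thresholds and is ignored.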

Yep, after a couple days I’ll get a reply. I’m sure ISPs have a legal obligation to keep track of malicious activities. Don’t bother scanning back, because it’ll get you in trouble with your own ISP, and for all you know the machines that are scanning you have already been compromised by someone else, and if they’re dial-ups the IP addresses now belong to someone else.

Norton makes an Internet Security software package, does it work for this sort of thing?

This is way over my head guys so forgive my ignorance.

Wouldn’t something like a .cgi script designed to detect your Internet settings (for example your language default setting, so as to serve the correct web pages) cause this?

(I know it could be many things but I’m just curious to know)

I don’t know about the Norton package. I use ZoneAlarm (www.zonelabs.com) and it’s great. Has great features, decent help, and it’s freeware, not crippled, for personal use.

London, I don’t know the answer to your question exactly, but I would assume that the script would get the environment variables from the computer via port 80, the HTTP port? I wrote CGI a looooong time ago that did these things, and it got them all through port 80.